Many bugs in protocol implementations may only manifest when the system is in a particular "state". For instance, to trigger one of the bugs we found in an RTSP implementation, the fuzzer must first send two different types of messages to usher the protocol implementation from the INIT via the READY to the PLAY state where the bug is exposed. Without knowledge of the protocol, it is inherently difficult for a fuzzer to discover such stateful bugs. A key challenge in fuzzing stateful systems, therefore, is to cover the state space without an explicit specification of the protocol. So, how can we help our fuzzer navigate an unknown state space? In our analysis of the Top-50 most widely used open-source protocol implementations, we found that every implementation uses state variables that are assigned named constants (such as INIT, READY) to represent the current state. In this work, we propose to automatically identify such state variables and track the sequence of values assigned to them during fuzzing to produce a "map" of the explored state space. Our stateful greybox fuzzing approach uses this map to focus on the most promising regions of the code and state space. Our experiments confirm that our stateful fuzzer discovers stateful bugs twice as fast as the baseline greybox fuzzer that we extended. The state sequence for an input is determined by the sequence of values assigned to the state variables during its execution. Starting from the initial state, our fuzzer exercises one order of magnitude more state sequences and covers the same code two times faster than the baseline fuzzer. Several zero-day bugs in prominent protocol implementations were found by our fuzzer, and 8 CVEs have been assigned.
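To make the idea concrete, here is a constructed Python example (added here; it is not the authors' fuzzer and not code from the paper) of the mechanism the abstract describes: a protocol handler whose state variable is only ever assigned the named constants INIT, READY and PLAY, an instrumentation hook that records every value assigned to that variable, and a fuzzing loop that uses the recorded state sequence as feedback, keeping an input in the corpus when it reaches a state sequence not seen before. The protocol, its message names, the `ToyServer` class and the stateful bug it contains are all constructed for this example; the mutation stage is a deterministic one-step insert/replace/delete rather than the random mutations and code-coverage feedback of a real greybox fuzzer.

```python
"""Constructed example: tracking a state variable during fuzzing to build a state map."""
from collections import defaultdict

# Named constants used as state values, mirroring the INIT/READY/PLAY states in the text.
INIT, READY, PLAY = "INIT", "READY", "PLAY"

# Message vocabulary of the toy protocol (constructed for this example).
MESSAGES = ["SETUP", "PLAY", "PAUSE", "TEARDOWN", "DESCRIBE"]


class ToyServer:
    """Constructed protocol handler; `state` is the tracked state variable."""

    def __init__(self, trace):
        self._trace = trace
        self.state = INIT  # the initial assignment is recorded as well

    def __setattr__(self, name, value):
        # Instrumentation hook: log every value assigned to the state variable.
        if name == "state":
            self._trace.append(value)
        object.__setattr__(self, name, value)

    def handle(self, msg):
        if msg == "SETUP" and self.state == INIT:
            self.state = READY
        elif msg == "PLAY" and self.state == READY:
            self.state = PLAY
        elif msg == "PAUSE" and self.state == PLAY:
            self.state = READY
        elif msg == "TEARDOWN" and self.state != INIT:
            self.state = INIT
        elif msg == "DESCRIBE" and self.state == PLAY:
            # Constructed stateful bug: only reachable after SETUP and then PLAY.
            raise RuntimeError("constructed bug in PLAY state")


def run_input(messages):
    """Execute one input (a message sequence); return the state sequence it produced."""
    trace = []
    server = ToyServer(trace)
    for msg in messages:
        server.handle(msg)
    return tuple(trace)


class StateMap:
    """Map of the explored state space: transitions seen and distinct state sequences."""

    def __init__(self):
        self.transitions = defaultdict(int)  # (from_state, to_state) -> times observed
        self.sequences = set()

    def record(self, seq):
        """Add a state sequence; return True if it was not in the map before."""
        is_new = seq not in self.sequences
        self.sequences.add(seq)
        for src, dst in zip(seq, seq[1:]):
            self.transitions[(src, dst)] += 1
        return is_new


def mutants(messages):
    """Deterministic one-step mutations: insert, replace or delete a single message."""
    for pos in range(len(messages) + 1):
        for msg in MESSAGES:
            yield messages[:pos] + [msg] + messages[pos:]
    for pos in range(len(messages)):
        for msg in MESSAGES:
            yield messages[:pos] + [msg] + messages[pos + 1:]
    for pos in range(len(messages)):
        yield messages[:pos] + messages[pos + 1:]


def fuzz(seeds, rounds=3):
    """State-sequence-guided fuzzing loop over a seed corpus.

    Returns (state_map, corpus, crashes). Inputs that raise are collected as crashes;
    inputs that reach a new state sequence join the corpus for further mutation.
    """
    state_map = StateMap()
    corpus = [list(s) for s in seeds]
    crashes = []
    for seed in corpus:
        state_map.record(run_input(seed))
    for _ in range(rounds):
        for parent in list(corpus):  # snapshot: children are mutated in the next round
            for child in mutants(parent):
                try:
                    seq = run_input(child)
                except RuntimeError:
                    if child not in crashes:
                        crashes.append(child)
                    continue
                if state_map.record(seq):
                    corpus.append(child)
    return state_map, corpus, crashes


if __name__ == "__main__":
    smap, corpus, crashes = fuzz([["SETUP"]])
    print("distinct state sequences:", len(smap.sequences))
    print("transitions:", dict(smap.transitions))
    print("crashing inputs:", crashes)
```

Starting from the single seed `["SETUP"]`, the loop first discovers the READY state, then the inputs that reach PLAY, and only then the crashing three-message input; an input's place in the corpus is decided purely by whether its state sequence is new, which is the feedback signal the abstract proposes in place of a protocol specification.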